Abstract

Using Vojvoda's approach [33] we demonstrate that the cryptographical primitives proposed in [25] are
vulnerable to chosen ciphertext attack and chosen plaintext attack. We develop the modifications
proposed in [31] and add some new modifications of known quasigroup based stream ciphers
[T^l 121)] . Systems of orthogonal n-ary groupoids are used.
1 Introduction

1.1 Basic definitions 

Information on quasigroups and n-ary quasigroups can be found in [UJ [51 ES], and on ciphers in
[21]. Stream ciphers based on quasigroups and their parastrophes were discovered at the end of the
XX-th century [TO]. See also [23 El EE]. We give some definitions.

A sequence $x_m, x_{m+1}, \dots, x_n$, where m, n are natural numbers and $m \le n$, will be denoted by $x_m^n$.
If $m > n$, then $x_m^n$ will be considered empty. The expression $\overline{1,n}$ designates the set $\{1, 2, \dots, n\}$ of
natural numbers [8].

A non-empty set Q together with an n-ary operation $A : Q^n \to Q$, $n \ge 2$, is called an n-groupoid and
is denoted by (Q, A).

It is convenient to define an n-ary quasigroup in the following manner.

Definition 1. An n-ary groupoid (Q, A) with n-ary operation A such that in the equality
$A(x_1, x_2, \dots, x_n) = x_{n+1}$ the knowledge of any n elements from the elements $x_1, x_2, \dots, x_n, x_{n+1}$ uniquely
specifies the remaining one is called an n-ary quasigroup [8].



We give a classical equational definition of a binary quasigroup [15].

Definition 2. A binary groupoid (Q, A) is called a binary quasigroup if on the set Q there exist
operations ${}^{(13)}A$ and ${}^{(23)}A$ such that in the algebra $(Q, A, {}^{(13)}A, {}^{(23)}A)$ the following identities are
fulfilled:

$A({}^{(13)}A(x,y), y) = x$, (1)
${}^{(13)}A(A(x,y), y) = x$, (2)
$A(x, {}^{(23)}A(x,y)) = y$, (3)
${}^{(23)}A(x, A(x,y)) = y$. (4)

By tradition the operation A is denoted by $\cdot$, ${}^{(23)}A$ by $\backslash$ and ${}^{(13)}A$ by $/$.

It is well known [6] [281 EH] that any quasigroup (Q, A) defines five more quasigroups, the so-called
parastrophes of the quasigroup (Q, A), namely $(Q, {}^{(13)}A)$, $(Q, {}^{(23)}A)$, $(Q, {}^{(12)}A)$, $(Q, {}^{(123)}A)$, $(Q, {}^{(132)}A)$.

It is possible to give an equational definition of an n-ary quasigroup as a generalization of Definition 2.
We follow [81 [26].

Definition 3. An n-ary groupoid (Q, A) is called an n-ary quasigroup if on the set Q there exist
operations ${}^{(1,n+1)}A, {}^{(2,n+1)}A, \dots, {}^{(n,n+1)}A$ such that in the algebra $(Q, A, {}^{(1,n+1)}A, \dots, {}^{(n,n+1)}A)$ the
following identities are fulfilled for all $i \in \overline{1,n}$:

$A(x_1^{i-1}, {}^{(i,n+1)}A(x_1^n), x_{i+1}^n) = x_i$, (5)
${}^{(i,n+1)}A(x_1^{i-1}, A(x_1^n), x_{i+1}^n) = x_i$. (6)

1.2 Quasigroup based cryptosystem 

We give an algorithm for secure encoding based on a binary quasigroup. We use [29] .

A quasigroup $(Q, \cdot)$ and its (23)-parastrophe $(Q, \backslash)$ satisfy the following identities: $x \cdot (x \backslash y) = y$,
$x \backslash (x \cdot y) = y$. These are identities (3) and (4), respectively.

The authors []j3j propose to use this quasigroup property to construct a stream cipher.

Algorithm 1. Let Q be a non-empty alphabet, k be a natural number, $u_i, v_i \in Q$, $i \in \{1, \dots, k\}$. Define
a quasigroup (Q, A). It is clear that the quasigroup $(Q, {}^{(23)}A)$ is defined in a unique way.

Take a fixed element $l$ ($l \in Q$), which is called a leader.

Let $u_1 u_2 \dots u_k$ be a k-tuple of letters from Q.

The following ciphering procedure is proposed: $v_1 = A(l, u_1)$, $v_i = A(v_{i-1}, u_i)$, $i = 2, \dots, k$.
Therefore we obtain the following cipher-text $v_1 v_2 \dots v_k$.

The deciphering algorithm is constructed in the following way: $u_1 = {}^{(23)}A(l, v_1)$, $u_i = {}^{(23)}A(v_{i-1}, v_i)$,
$i = 2, \dots, k$.

Indeed ${}^{(23)}A(v_{i-1}, v_i) = {}^{(23)}A(v_{i-1}, A(v_{i-1}, u_i)) \overset{(4)}{=} u_i$.
Remark 1. The equality $A = {}^{(23)}A$ is fulfilled if and only if $A(x, A(x, y)) = y$ for all $x, y \in Q$.
Example 1. Let the alphabet A consist of the letters a, b, c. Take the quasigroup $(A, \cdot)$:
Then $(A, \backslash)$ has the following Cayley table

 \ | a b c
---+------
 a | c a b
 b | b c a
 c | a b c

Let $l = a$ and let the open text be u = bbcaacba. Then the cipher text is v = cbbcaaca. Applying the
decoding function to v we get bbcaacba = u.
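The following Python sketch is an added example, not code from the paper: it implements Algorithm 1 on the alphabet of Example 1, derives the table of (A, ·) from the printed table of (A, \) through identity (3), and reproduces the worked encryption. All function and variable names are chosen here.

```python
# Added illustration: Algorithm 1 over the three-letter alphabet of Example 1.
# LEFT_DIV is the Cayley table of (A, \) printed above; MUL is derived from
# it, not copied from the paper.

ALPHABET = "abc"
LEFT_DIV = {                                  # LEFT_DIV[x][y] = x \ y
    "a": dict(zip(ALPHABET, "cab")),
    "b": dict(zip(ALPHABET, "bca")),
    "c": dict(zip(ALPHABET, "abc")),
}


def parastrophe_23(table):
    """Return T' with T'[x][z] = y whenever table[x][y] = z."""
    result = {x: {z: y for y, z in row.items()} for x, row in table.items()}
    for x, row in result.items():
        if set(row) != set(table):            # every row must be a permutation
            raise ValueError(f"row {x!r} is not a permutation")
    return result


def is_quasigroup(table):
    """Rows and columns of the Cayley table are permutations of the alphabet."""
    symbols = set(table)
    rows_ok = all(set(row.values()) == symbols for row in table.values())
    cols_ok = all({table[x][y] for x in table} == symbols for y in symbols)
    return rows_ok and cols_ok


MUL = parastrophe_23(LEFT_DIV)                # MUL[x][y] = x . y


def encrypt(plaintext, leader, mul=MUL):
    """v_1 = A(l, u_1), v_i = A(v_{i-1}, u_i)."""
    out, prev = [], leader
    for u in plaintext:
        prev = mul[prev][u]
        out.append(prev)
    return "".join(out)


def decrypt(ciphertext, leader, ldiv=LEFT_DIV):
    """u_1 = (23)A(l, v_1), u_i = (23)A(v_{i-1}, v_i)."""
    out, prev = [], leader
    for v in ciphertext:
        out.append(ldiv[prev][v])
        prev = v
    return "".join(out)


if __name__ == "__main__":
    print(encrypt("bbcaacba", "a"), decrypt("cbbcaaca", "a"))
```

Each plaintext symbol depends only on two neighbouring ciphertext symbols, which is the property the attacks of Section 2 rely on.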

In [2S] the authors claimed that this cipher is resistant to the brute force attack (exhaustive search)
and to the statistical attack (in many languages some letters occur more frequently than other letters).

In the dissertation of Milan Vojvoda [34] it is proved that this cipher is not resistant to chosen
ciphertext attack and chosen plaintext attack. It is claimed that this cipher is not resistant to
statistical attack (Slovak language).

There exist a few ways to generalize Algorithm 1. The most obvious way is to increase the arity of
the quasigroup, i.e. to apply n-ary ($n \ge 3$) quasigroups instead of binary ones. This way was proposed
in [29\ 150] and was realized in [271 ES]. Notice that Prof. A. Petrescu writes that he found this n-ary
generalization independently.

The second way was in fact proposed in [31] . Namely, instead of a pair of binary quasigroups it was
proposed to use a system of n n-ary orthogonal operations (groupoids).

2 Cryptanalysis of n-ary quasigroup cipher 

Algorithm 2. Let Q be a non-empty alphabet, k be a natural number, $u_i, v_i \in Q$, $i \in \{1, \dots, k\}$. Define
an n-ary quasigroup (Q, A). It is clear that any quasigroup $(Q, {}^{(i,n+1)}A)$ for any fixed value i is defined
in a unique way. Below for simplicity we put i = n.

Take fixed elements $l_1^{(n-1)(n-1)}$ ($l_i \in Q$), which are called leaders.

Let $u_1 u_2 \dots u_k$ be a k-tuple of letters from Q.

The following ciphering (encryption) procedure is proposed:

$v_1 = A(l_1^{n-1}, u_1)$,
$v_2 = A(l_n^{2n-2}, u_2)$,
$\dots$
$v_{n-1} = A(l_{n^2-3n+3}^{(n-1)(n-1)}, u_{n-1})$,
$v_n = A(v_1^{n-1}, u_n)$,
$v_{n+1} = A(v_2^{n}, u_{n+1})$,
$v_{n+2} = A(v_3^{n+1}, u_{n+2})$,
$\dots$ (7)

Therefore we obtain the following cipher-text $v_1 v_2 \dots v_{n-1} v_n v_{n+1} \dots$
The deciphering algorithm is constructed similarly to the binary case:

$u_1 = {}^{(n,n+1)}A(l_1^{n-1}, v_1)$,
$u_2 = {}^{(n,n+1)}A(l_n^{2n-2}, v_2)$,
$\dots$
$u_{n-1} = {}^{(n,n+1)}A(l_{n^2-3n+3}^{(n-1)(n-1)}, v_{n-1})$,
$u_n = {}^{(n,n+1)}A(v_1^{n-1}, v_n)$,
$u_{n+1} = {}^{(n,n+1)}A(v_2^{n}, v_{n+1})$,
$u_{n+2} = {}^{(n,n+1)}A(v_3^{n+1}, v_{n+2})$,
$\dots$ (8)

Indeed, for example, ${}^{(n,n+1)}A(v_1^{n-1}, v_n) = {}^{(n,n+1)}A(v_1^{n-1}, A(v_1^{n-1}, u_n)) = u_n$.

It probably makes sense to use an irreducible 3-ary or 4-ary finite quasigroup in Algorithm 2.

Remark 2. In equation (7) (encryption procedure) and, therefore, in the decryption procedure (equation
(8)) it is possible to use more than one n-quasigroup operation.

2.1 Chosen ciphertext attack 

We describe a chosen ciphertext attack on the cipher defined in Algorithm 2. The binary analog of this attack
is described in [33]. Let $Q = \{q_1, q_2, \dots, q_q\}$, $|Q| = q$, and assume the cryptanalyst has access to the
decryption device loaded with an unknown key. Then he can construct the following ciphertext:

$v_1 = q_1, v_2 = q_1, \dots, v_{n-1} = q_1, v_n = q_1, v_{n+1} = q_2$. Then $u_n = {}^{(n,n+1)}A(q_1, \dots, q_1)$. If $v_{n+1} = q_2$,
then $u_{n+1} = {}^{(n,n+1)}A(q_1, \dots, q_1, q_2)$; if $v_{n+2} = q_3$, then $u_{n+2} = {}^{(n,n+1)}A(q_1, \dots, q_1, q_2, q_3)$, and so on.
Continuing in this manner we can find the multiplication table of the quasigroup $(Q, {}^{(n,n+1)}A)$, and therefore
the multiplication table of the quasigroup (Q, A) too. Notice, $|(Q, A)| = q^n$.

Having the multiplication table of the quasigroup we can easily decipher any ciphertext
starting from the symbol $v_n$.



2.2 Chosen ciphertext attack on the leader elements 

In order to decrypt the elements $v_1, \dots, v_{n-1}$ we should know the action of the (n−1)-tuples of leader elements
on any element of the set Q. In other words we should know the action of the translations $T_1(l_1, l_2, \dots, l_{n-1}, -)$,
$T_2(l_n, l_{n+1}, \dots, l_{2n-2}, -)$, $\dots$, $T_{n-1}$ on the set Q.

It is not difficult to find the leader element using the quasigroup $(Q, {}^{(n,n+1)}A)$ in the binary case. It is sufficient
to solve the equation ${}^{(23)}A(l, a) = b$ for fixed elements $a, b \in Q$.

Notice that for cryptographical purposes it is not necessary to find the leader elements $l_1, l_2$. It is sufficient
to find a pair of elements c, d such that ${}^{(34)}A(l_1, l_2, x) = {}^{(34)}A(c, d, x)$ for all $x \in Q$. For this purpose
it is possible to decrypt the q one-letter cipher-texts $q_1, q_2, \dots, q_q$ in any order.

In order to establish the action of the leader elements $l_3, l_4$ on the set Q (the action of the translation
$T(l_3, l_4, -)$) it is possible to decrypt q pairs of elements of the form $(a, q_1), (a, q_2), \dots, (a, q_q)$, where a
is a fixed element of the set Q.
It is possible to unite the calculation of the action of the translations $T(l_1, l_2, -)$ and $T(l_3, l_4, -)$ in one
procedure by decrypting q pairs of elements $(q_i, q_j)$, where $q_i \ne q_j$, $\bigcup_{i=1}^{q} q_i = Q$, $\bigcup_{j=1}^{q} q_j = Q$.
In a similar way it is possible to operate in the n-ary case ($n \ge 4$).

Example 2. We give an example of a ternary quasigroup (Q, A) of order 4 [8, p. 115]. In some sense
this quasigroup is non-trivial since it is not an isotope of a 3-ary group (Q, f) of the form $f(x_1^3) =
x_1 + x_2 + x_3$, where (Q, +) is a binary group of order 4. Recall that there exist two groups of order 4, namely
the cyclic group $Z_4$ and the Klein group $Z_2 \times Z_2$. Any binary quasigroup of order 4 is a group isotope OH].

3, A(2,3,2)

A(3,2) =

= 3.

Moreover $A(0, 1, x) = A(2, 3, x)$ for all $x \in Q$. Then the translations $T(0, 1, -)$ and $T(2, 3, -)$
are equal, so the pairs of leaders (0, 1) and (2, 3) are equal from the cryptographical point of view.
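Added example (not from the paper) of the queries described in Sections 2.1 and 2.2 for n = 3: a decryption device holding a secret ternary quasigroup and four leaders is queried with every ciphertext [x, y, w], after which any ciphertext can be read without the key. The quasigroup A(x, y, z) = P[(x + 2y + 3z) mod 5], the seed and all function names are constructed for this illustration and are not the quasigroup of Example 2.

```python
# Added illustration of sections 2.1-2.2 for n = 3. The key is constructed
# for this example; it is not the quasigroup of Example 2.
import itertools
import random

Q = range(5)


def make_key(seed):
    """Secret key: A(x,y,z) = P[(x+2y+3z) mod 5] and leaders l_1..l_4."""
    rng = random.Random(seed)
    perm = rng.sample(Q, len(Q))
    A = {(x, y, z): perm[(x + 2 * y + 3 * z) % 5]
         for x, y, z in itertools.product(Q, repeat=3)}
    D = {(x, y, w): z for (x, y, z), w in A.items()}   # (3,4)-parastrophe of A
    return A, D, [rng.choice(Q) for _ in range(4)]


def context(leaders, v, i):
    """First two arguments for symbol i: leaders if i < 2, else ciphertext."""
    if i < 2:
        return tuple(leaders[2 * i:2 * i + 2])
    return (v[i - 2], v[i - 1])


def encrypt(key, u):
    A, _, leaders = key
    v = []
    for i, symbol in enumerate(u):
        v.append(A[context(leaders, v, i) + (symbol,)])
    return v


def decrypt(key, v):
    _, D, leaders = key
    return [D[context(leaders, v, i) + (w,)] for i, w in enumerate(v)]


def recover_tables(oracle):
    """Decrypt every [x, y, w]; the answers are T1(x), T2(y) and D(x, y, w)."""
    D, T1, T2 = {}, {}, {}
    for x, y, w in itertools.product(Q, repeat=3):
        u = oracle([x, y, w])
        T1[x], T2[y], D[x, y, w] = u
    return D, T1, T2


def decrypt_without_key(tables, v):
    D, T1, T2 = tables
    return [T1[w] if i == 0 else T2[w] if i == 1 else D[v[i - 2], v[i - 1], w]
            for i, w in enumerate(v)]


def equivalent_leader_pairs(D, T):
    """All (c, d) with D(c, d, x) = T(x) for every x in Q."""
    return [(c, d) for c in Q for d in Q if all(D[c, d, x] == T[x] for x in Q)]
```

With this constructed key the 125 queries recover the whole table, and five different leader pairs induce the same translation, which is the situation of Example 2.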



2.3 Chosen plaintext attack 

The chosen plaintext attack is similar to the chosen ciphertext attack.

Assume the cryptanalyst has access to the encryption device loaded with an unknown key.
Then he can construct the following plaintexts:

$u_1 = q_1, u_2 = q_1, \dots, u_{n-1} = q_1, u_n = q_1, u_{n+1} = q_2$. Then $v_n = A(q_1, \dots, q_1)$. If $u_{n+1} = q_2$, then
$v_{n+1} = A(q_1, \dots, q_1, q_2)$. If $u_{n+2} = q_3$, then $v_{n+2} = A(q_1, \dots, q_1, q_2, q_3)$, and so on. Continuing in
this manner we can find the multiplication table of the quasigroup (Q, A). Notice $|(Q, A)| = q^n$.

2.4 Chosen plaintext attack on the leader elements 

The chosen plaintext attack on the leader elements is similar to the chosen ciphertext attack on the leader
elements, and we omit it.



3 Ciphers based on orthogonal n-ary groupoids 
3.1 Some definitions 

We give the classical definition of orthogonality of n-ary operations [51 IIP].

Definition 4. n-ary groupoids $(Q, f_1), (Q, f_2), \dots, (Q, f_n)$ are called orthogonal if for any fixed
n-tuple $a_1, a_2, \dots, a_n$ the following system of equations

$f_1(x_1, x_2, \dots, x_n) = a_1$
$f_2(x_1, x_2, \dots, x_n) = a_2$
$\dots$
$f_n(x_1, x_2, \dots, x_n) = a_n$

has a unique solution.
There exist various generalizations of the definition of orthogonality of n-ary operations.

Definition 5. n-ary groupoids $(Q, f_1), (Q, f_2), \dots, (Q, f_k)$ ($2 \le k \le n$) given on a set Q of order m
are called orthogonal if the system of equations

$f_1(x_1, x_2, \dots, x_n) = a_1$
$f_2(x_1, x_2, \dots, x_n) = a_2$
$\dots$
$f_k(x_1, x_2, \dots, x_n) = a_k$

has exactly $m^{n-k}$ solutions for any k-tuple $a_1, a_2, \dots, a_k$, where $a_1, a_2, \dots, a_k \in Q$ (see [TT]).

If k = n, then from Definition 5 we obtain the standard Definition 4. The definition of orthogonality of
binary systems has a rich and long history [TB]. About the n-ary case see, for example, [16].

Example 3. The operations $A_1(x_1, x_2, x_3) = 1 \cdot x_1 + 0 \cdot x_2 + 0 \cdot x_3$, $A_2(x_1, x_2, x_3) = 0 \cdot x_1 + 1 \cdot x_2 + 0 \cdot x_3$,
$A_3(x_1, x_2, x_3) = 0 \cdot x_1 + 0 \cdot x_2 + 1 \cdot x_3$ defined over the field R of real numbers (or over a finite field)
are orthogonal, since the system

$1 \cdot x_1 + 0 \cdot x_2 + 0 \cdot x_3 = a_1$
$0 \cdot x_1 + 1 \cdot x_2 + 0 \cdot x_3 = a_2$
$0 \cdot x_1 + 0 \cdot x_2 + 1 \cdot x_3 = a_3$

has a unique solution for any fixed 3-tuple $(a_1, a_2, a_3) \in R^3$.

Notice that any pair of ternary operations from Example 3 is orthogonal in the sense of Definition 5.

We follow ideas of V.D. Belousov [7]. See also [TOj [5]. It is easy to see that any system of n
orthogonal n-ary groupoids $(Q, f_i)$, $i \in \overline{1,n}$, defines a permutation of the set $Q^n$ and vice versa. Thus
there exist $(q^n)!$ n-ary orthogonal systems on a set of order q.

3.2 Construction of orthogonal n-ary groupoids 

In the following example we give a sufficiently convenient and general way to construct
systems of orthogonal n-ary groupoids.

Example 4. Define operations $A_1(x_1, x_2, x_3)$, $A_2(x_1, x_2, x_3)$, $A_3(x_1, x_2, x_3)$ over the set M = {0, 1, 2}
in the following way. Take all 27 triplets $K = \{(R_i, S_i, T_i) \mid R_i, S_i, T_i \in M, i \in \overline{1,27}\}$ in any fixed
order and put

$A_1(0,0,0) = R_1$, $A_1(0,0,1) = R_2$, $A_1(0,0,2) = R_3$, $\dots$, $A_1(2,2,2) = R_{27}$,
$A_2(0,0,0) = S_1$, $A_2(0,0,1) = S_2$, $A_2(0,0,2) = S_3$, $\dots$, $A_2(2,2,2) = S_{27}$,
$A_3(0,0,0) = T_1$, $A_3(0,0,1) = T_2$, $A_3(0,0,2) = T_3$, $\dots$, $A_3(2,2,2) = T_{27}$.

The operations $A_1$, $A_2$ and $A_3$ form a system of orthogonal operations. If we take these 27 triplets in
another order, then we obtain another system of orthogonal 3-ary groupoids.

This way makes it easy to construct the inverse system B of orthogonal n-ary operations to
a fixed system A of orthogonal n-ary operations. Recall that inverse system means that $B(A(x_1^n)) = x_1^n$,
$x_i \in Q$.
Example 5. We give an example of three orthogonal ternary groupoids that are defined on the four-element
set {0, 1, 2, 3}. The multiplication table of the first groupoid (in fact, of a quasigroup) is given in Example
2. Below we give the multiplication tables of the other two 3-ary groupoids.
From the formula $(q^n)!$ it follows that there exist $(4^3)! = 64!$ orthogonal systems of 3-ary groupoids
over a set of order 4.

3.3 Ciphers based on orthogonal systems of n-ary operations

Here we propose to use a system of orthogonal n-ary groupoids as an additional procedure in order to
construct an almost-stream cipher [31].

Orthogonal systems of n-ary quasigroups were studied in [32], [33], [2] . Such systems have a more
uniform distribution of elements of the base set and therefore may be preferable for
protection against statistical cryptanalytic attacks.

Procedure 1. Let A be a non-empty alphabet, k be a natural number, $u_i, v_i \in A$, $i \in \{1, \dots, k\}$.

1. Define a system of n n-ary orthogonal operations $(A, f_i)$, $i = 1, 2, \dots, n$.

2. We propose the following enciphering procedure: $v_i = f_i(u_1, u_2, \dots, u_n)$, $i = 1, 2, \dots, n$. If k < n,
then we can repeat the plaintext or a part of the plaintext the necessary number of times.

3. It is possible to apply the ciphering procedure more than one time. The number of applications of
Step 2 can be non-fixed.

4. Therefore we obtain the following ciphertext $v_1 v_2 \dots v_n$.

The deciphering algorithm is based on the fact that the orthogonal system of n n-ary operations

$f_1(x_1, x_2, \dots, x_n) = a_1$
$f_2(x_1, x_2, \dots, x_n) = a_2$
$\dots$
$f_n(x_1, x_2, \dots, x_n) = a_n$

has a unique solution for any tuple of elements $a_1, \dots, a_n$.
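Added example (not from the paper): the construction of Example 4 and Procedure 1 in Python, with the inverse system used for deciphering and Definition 5 checked by counting. The shuffle seed standing in for the key, the padding convention and all names are assumptions of this illustration; `random.Random` is not a cryptographic generator.

```python
# Added illustration of Example 4 and Procedure 1. The seed plays the role of
# the key here; that choice is an assumption of this example.
import itertools
import random
from collections import Counter


def orthogonal_system(q, n, seed):
    """List all q^n n-tuples in a key-dependent order (Example 4).

    forward[x] = (f_1(x), ..., f_n(x)); inverse is the inverse system B.
    """
    arguments = list(itertools.product(range(q), repeat=n))
    images = arguments[:]
    random.Random(seed).shuffle(images)
    forward = dict(zip(arguments, images))
    inverse = {image: x for x, image in forward.items()}
    return forward, inverse


def is_orthogonal(forward, indices, q, n):
    """Definition 5 for f_i, i in indices: every value tuple has q^(n-k) solutions."""
    k = len(indices)
    counts = Counter(tuple(image[i] for i in indices)
                     for image in forward.values())
    return len(counts) == q ** k and set(counts.values()) == {q ** (n - k)}


def apply_blocks(table, data, n):
    """Map each block of n symbols through the table."""
    return [s for j in range(0, len(data), n)
            for s in table[tuple(data[j:j + n])]]


def encipher(forward, text, n, rounds=1):
    """Steps 2-3: pad by repeating the plaintext, then map every n-block."""
    k = len(text)
    data = [text[i % k] for i in range(-(-k // n) * n)]
    for _ in range(rounds):
        data = apply_blocks(forward, data, n)
    return data


def decipher(inverse, cipher, n, k, rounds=1):
    """Solve the system block by block with B; keep the k original symbols."""
    data = list(cipher)
    for _ in range(rounds):
        data = apply_blocks(inverse, data, n)
    return data[:k]
```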
3.4 Modifications of Procedure 1

Following "vector ideas" [22] we propose as the first step to write any letter m of a plaintext as an
n-tuple (n-vector) and after that to apply Procedure 1. For example it is possible to use a binary
representation of the characters of the alphabet A.

It is possible to divide the plaintext $u_1, \dots, u_n$ into parts and to apply Procedure 1 to some parts, or to a
text a part of which has been ciphered by Procedure 1 in a previous ciphering round.

It is possible to replace in Procedure 1 the variables $x_1, \dots, x_k$ ($1 \le k \le n-1$) by some fixed elements
of the set Q and to call these elements leaders. Note that if k = n − 1, then we obtain n cipher
images of any plaintext letter u.

In any case the application of only one step of Procedure 1 is not very safe since this procedure is
not resistant to chosen ciphertext attack and chosen plaintext attack.

If in a system of orthogonal n-ary operations there is at least one n-ary quasigroup, then for ciphering
we can apply Algorithm 2 and Procedure 1 together with some non-periodical
frequency, i.e., for example, we can apply Algorithm 2 four times, after this apply Procedure 1 five
times, and so on.

As the sequence of periods it is possible to use the decimal representation of an irrational or transcendental
number. In this case we can take as a key the sequence of applications of Algorithm 2 and Procedure 1.

The proposed modifications make the realization of chosen plaintext attack and chosen ciphertext attack
more complicated.

Taking into consideration that in the binary case one application of Procedure 1 generates from one
plaintext symbol u two cipher symbols, say $v_1, v_2$, we may propose to apply Procedure 1 to two plaintext
symbols (or to one cipher symbol and one plain symbol, or to two cipher symbols) simultaneously.

The modifications proposed in this subsection need additional research.



3.5 Stream cipher based on an orthogonal system of binary parastrophic quasigroups

This subsection is more of theoretical than cryptographical character. We propose to use an orthogonal
system of binary parastrophic quasigroups in the construction of Algorithm 2 and Procedure 1.

We start from the following theorem [23] . Here the expression $A \perp {}^{(23)}A$ means that the quasigroups (Q, A)
and $(Q, {}^{(23)}A)$ are orthogonal.

Theorem 1. For a finite quasigroup (Q, A) the following equivalences are fulfilled:

(i) $A \perp {}^{(12)}A \iff ((x \backslash z) \cdot x = (y \backslash z) \cdot y \implies x = y)$;
(ii) $A \perp {}^{(13)}A \iff (zx \cdot x = zy \cdot y \implies x = y)$;
(iii) $A \perp {}^{(23)}A \iff (x \cdot xz = y \cdot yz \implies x = y)$;
(iv) $A \perp {}^{(123)}A \iff (x \cdot zx = y \cdot zy \implies x = y)$;
(v) $A \perp {}^{(132)}A \iff (xz \cdot x = yz \cdot y \implies x = y)$
for all $x, y, z \in Q$.

In order to construct the quasigroups mentioned in Theorem 1, computer search is probably preferable.
It is possible to use GAP and Prover [20].
Definition 6. A T-quasigroup (Q, A) is a quasigroup of the form $x \cdot y = \varphi x + \psi y + a$, where (Q, +)
is an abelian group, $\varphi, \psi$ are some fixed automorphisms of this group, and a is a fixed element of the set
Q MM-

In order to construct a quasigroup (Q, A) that is orthogonal to its parastrophe in a more theoretical
way it is possible to use the following theorem [23].

Theorem 2. For a T-quasigroup (Q, A) of the form $A(x, y) = \varphi x + \psi y + a$ over an abelian group
(Q, +) the following equivalences are fulfilled:

(i) $A \perp {}^{(12)}A \iff (\varphi - \psi), (\varphi + \psi)$ are permutations of the set Q;
(ii) $A \perp {}^{(13)}A \iff (\varepsilon + \varphi)$ is a permutation of the set Q;
(iii) $A \perp {}^{(23)}A \iff (\varepsilon + \psi)$ is a permutation of the set Q;
(iv) $A \perp {}^{(123)}A \iff (\varphi + \psi^2)$ is a permutation of the set Q;
(v) $A \perp {}^{(132)}A \iff (\varphi^2 + \psi)$ is a permutation of the set Q.

Example 6. We take the cyclic group $Z_p$, where p is prime. For example, p = 257 since the number
257 is prime. Then the T-quasigroup $(Q, \circ)$ of the form $x \circ y = k \cdot x + m \cdot y + a$, $k, m, a \in Z_p$,
$k, m, k + m, k - m, k + 1, m + 1, k^2 + m, k + m^2 \not\equiv 0 \pmod p$, where the operation $\cdot$ is multiplication modulo p,
is orthogonal to any of its parastrophes.

Any quasigroup $(Q, \circ)$ from Example 6 is orthogonal to any of its parastrophes. Therefore these
quasigroups are suitable objects to construct Procedure 1 and, of course, Algorithm 2.
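Added example (not from the paper): a brute-force check of Example 6, in the spirit of the computer search mentioned after Theorem 1. It builds the Cayley table of x ∘ y = k·x + m·y + a over Z_p, forms the parastrophes by permuting the roles of (x, y, z) in x ∘ y = z, and tests orthogonality by counting value pairs. The parameter choices and function names are assumptions of this illustration.

```python
# Added illustration of Example 6: check by exhaustive counting that
# x o y = k*x + m*y + a (mod p) is orthogonal to each of its parastrophes.
from itertools import permutations


def cayley_table(p, k, m, a):
    return {(x, y): (k * x + m * y + a) % p
            for x in range(p) for y in range(p)}


def parastrophes(table):
    """Permute the roles of (x, y, z) in x o y = z; (0, 1, 2) is the table itself."""
    triples = [(x, y, z) for (x, y), z in table.items()]
    return {s: {(t[s[0]], t[s[1]]): t[s[2]] for t in triples}
            for s in permutations(range(3))}


def orthogonal(t1, t2):
    """The map (x, y) -> (t1(x, y), t2(x, y)) hits every pair exactly once."""
    return len(t1) == len(t2) == len({(t1[xy], t2[xy]) for xy in t1})


def orthogonal_to_all_parastrophes(p, k, m, a):
    table = cayley_table(p, k, m, a)
    return all(orthogonal(table, other)
               for s, other in parastrophes(table).items() if s != (0, 1, 2))


def example6_conditions(p, k, m):
    """The eight non-vanishing conditions listed in Example 6."""
    values = (k, m, k + m, k - m, k + 1, m + 1, k * k + m, k + m * m)
    return all(v % p != 0 for v in values)


def search(p, a=0):
    """All (k, m) with k, m != 0 whose T-quasigroup over Z_p passes the check."""
    return [(k, m) for k in range(1, p) for m in range(1, p)
            if orthogonal_to_all_parastrophes(p, k, m, a)]
```

For p = 257 the pair k = 2, m = 3 satisfies all eight conditions, while k = 256 violates k + 1 ≢ 0 and loses orthogonality with one parastrophe.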